ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool ZLoader

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: ZLoader

NamesZLoader
Terdot
DELoader
CategoryMalware
TypeBotnet, Downloader
DescriptionThis family describes the (initially small) loader, which downloads Zeus OpenSSL.

In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.
Information<https://threatvector.cylance.com/en_us/home/threat-spotlight-terdot-a-zloader-malicious-downloader.html>
<https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html>
<https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/>
<https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks>
<https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/>
<https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware>
<https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/>
<https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns>
<https://blog.checkpoint.com/2020/06/04/coronavirus-update-not-the-type-of-cv-youre-looking-for/>
<https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed>
<https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader>
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:Zloader>

Last change to this tool card: 08 August 2021

Download this tool card in JSON format

Previous: zl4vq.sqt
Next: ZooPark

All groups using tool ZLoader

ChangedNameCountryObserved

Other groups

 Bamboo Spider, TA544[Unknown]2016-May 2020X

1 group listed (0 APT, 1 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key